Using FROST to attack a Galaxy Nexus

Let us offer this warning up front: while this is possible, it is certainly not something that the average user needs to worry about. To begin with, the phone that is the subject of the attack ideally needs to have an unlocked bootloader, and many in the Android world likely realize that unlocked bootloaders are not commonly found. But we are getting ahead of ourselves. This involves a pair of researchers from Erlangen University in Germany, a Galaxy Nexus smartphone, a cold boot attack and a tool called FROST.

The back story here goes back to when Google released Ice Cream Sandwich and included the encryption feature. The researchers note that this feature "transparently scrambles user partitions," which in turn protects "sensitive user information against targeted attacks that bypass screen locks." They go on to say that "once the power of a scrambled device is cut any chance other than bruteforce is lost to recover data." Basically, they set out to prove that you can still get some information, both from a device that has a locked bootloader and from a device with an unlocked bootloader.

Enter FROST (Forensic Recovery of Scrambled Telephones), which, when used in a cold boot attack, allowed them to recover the encryption keys from RAM. Here is where the locked bootloader comes into play. In order to break the encryption, the bootloader needs to have been unlocked prior to the attack, because the scrambled user partitions are wiped during unlocking. The key point of their research is that a cold boot attack still gave them access to some sensitive information despite the bootloader being locked. Some of the information they were able to retrieve included contact lists, visited web sites, and images.

Anyway, the short version of the process: they placed a Galaxy Nexus inside a -15 degree Celsius freezer for 60 minutes (the cold temperature is said to help preserve the contents of memory for longer), then booted the phone into fastboot mode and used the FROST recovery image along with a Linux computer. As for the end result and warning, the researchers have yet to publish their paper, but they have said this "reveals a significant security gap that users should be aware of," and that it would be a useful tool for law enforcement. With that, those interested will be able to find the report and additional research details on the FROST site.

Wait…what? You need to get my phone, freeze it and then hook it up to a computer. I will give you the pin code just so I feel like you didn’t waste your time. This is ridiculous. It’s almost like cracking security by rewriting the OS and hoping that the new OS memory fits.

Evan Urkofsky

“…a significant security gap…”?? This is an interesting find, but not even close to what I would call a significant security gap.

Ryo Cook

“reveals a significant security gap that users should be aware of”

Yeah, extremely significant. *gasp*
I’ll bet they are Apple fans. How abstract is this attack? And only with an unlocked bootloader. Yeah, extremely significant for the average user… *sigh*